Refinement and Verification of CBC Casper - Cryptology ePrint Archive
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Refinement and Verification of CBC Casper
Ryuya Nakamura∗† , Takayuki Jimba† , and Dominik Harz‡
∗Faculty of Engineering, The University of Tokyo
† Research and Development, LayerX
Email: {ryuya.nakamura,takayuki.jinba}@layerx.co.jp
‡ Department of Computing, Imperial College London
Email: d.harz@imperial.ac.uk
Abstract—Decentralised ledgers are a prime application case and similar PoW protocols consume large amounts of energy
for consensus protocols. Changing sets of validators have to and have limited throughput of transactions [9]. Suggested
agree on a set of transactions in an asynchronous network and improvements to consensus protocols include proof-of-stake
in the presence of Byzantine behaviour. Major research efforts
focus on creating consensus protocols under such conditions, (PoS) (e.g. [1], [10], [11]), chain-selection rules (e.g. [12]),
with proof-of-stake (PoS) representing a promising candidate restricted number of (trusted) validators (e.g. [13]), sharding
for decentralised ledgers. PoS aims to reduce the waste of (e.g. [14], [15]), and delegation of trust (e.g. [16], [17]).
energy inherent to proof-of-work (PoW) consensus protocols. These improvements, especially PoS, introduce further at-
However, a significant challenge is to get PoS protocols “right”,
tack vectors. Nothing at stake attacks describes the notion
i.e. ensure that they are secure w.r.t. safety and liveness. Security
proofs are provided using pen-and-paper approaches including that it is cost-free to produce alternative versions of a chain
the “Correct-by-Construction” (CBC) Casper proposed by the of blocks (or other consensus data structure) [18]. Long-
Ethereum project. CBC Casper’s design philosophy deviates from range attacks rewrite blockchain history and are related to
traditional consensus protocols as it is an abstract framework the fact that creating an alternative chain is practically cost-
to define consensus protocols and aims to prove its correctness
free. Long-range attacks also include the idea of “posterior
without loss of abstractness. Each member of the CBC Casper
family of protocols is defined by five parameters. CBC Casper corruption” [19]. Stake bleeding attacks are a form of long-
models the protocol by a state of each validator and messages range attacks where a coalition of attackers can rewrite the
sent by validators. Each validator can transition its state using blockchain history by including transactions from the current
messages by other validators that include their current consensus agreed-upon chain into an attacking chain [20]. The idea is
value and a justification (i.e. their previous messages). We extend
to include all transactions of the coalition into blocks that
CBC Casper in three ways. First, we summarise the research of
CBC Casper and extend the definitions of safety and liveness are created by the coalition and thereby increasing its relative
properties. To this end, we discuss an instance of CBC Casper stake. This attack works on PoS blockchains without check-
called Casper The Friendly GHOST (TFG), a consensus protocol pointing. Known leader schedules describe attacks where spe-
using a variant of the GHOST fork-choice rule. Second, we cific validators are targeted, since (parts of) the future validator
refine the properties of messages and states in CBC Casper and
leaders are public [18].
give a definition of blockchain safety for Casper TFG. Third,
we formally verify CBC Casper together with our additional Ethereum seeks to replace its current PoW consensus with
properties in the Isabelle/HOL proof assistant. a more efficient PoS protocol. In Ethereum, two proposals for
PoS are discussed. First, Casper the Friendly Finality Gadget
I. I NTRODUCTION (FFG) is introduced initially to provide finality in an existing
Consensus protocols are at the core of cryptocurrencies. blockchain consensus protocol via PoS [21]. This proposal is
They determine which set of transactions are considered glob- modified to a full PoS blockchain later [22]. Second, “Correct-
ally valid and need to ensure to be resilient against malicious by-Construction” (CBC) Casper is a proposal by Zamfir et
actors. Any rational actor has an incentive to cheat the system al. [23]. An extension to this work, the Minimal CBC Casper
to gain an advantage. Generally, a consensus protocol aims family of consensus protocols, is introduced in [1].
to ensure security through safety and liveness. Consensus CBC Casper1 intents to create a family of consensus pro-
protocols with Byzantine actors offer a trade-off of the two tocols which provides safety in asynchronous networks with
properties, as it is not possible to provide both safety and Byzantine faults. CBC Casper is an abstract framework to
liveness with at least one Byzantine fault in asynchronous design consensus protocols concerning validators that send
networks [2]–[4]. messages between each other. A protocol is described by
In cryptocurrencies, Nakamoto consensus introduced the five parameters and a “decision function” called a safety ora-
principle of proof-of-work (PoW) and combined this with cle [24]. Validators can transition their state based on messages
rewards paid to honest participants [5]. Nakamoto consen- received from other validators. However, if a validator needs
sus is secure under certain conditions when a majority of to decide between different results, the validator can query
nodes behaves honestly [6]–[8]. However, current consensus
protocols for cryptocurrencies are subject to an inherent trade- 1 Note: When we use the term CBC Casper we refer to the Minimal CBC
off between scalability and security [9]. Nakamoto consensus Casper paper by Zamfir et al. [1].Fig. 1. Our work is summarised in three steps. (1), we update the definition of asynchronous safety and discuss how CBC Casper handles safety and liveness
faults. (2), we refine the message and state properties of the Minimal CBC Casper paper [1]. (3), we formally verify CBC Casper in Isabelle/HOL. Dotted
lines indicate work-in-progress (WIP).
the safety oracle. The safety oracle is an abstract function that safety oracle and show that with 2/3 honest validators by
returns how many validators (by weight) vote for a specific weight, validators can reach decisions to finalise blocks.
consensus value. The current CBC Casper proposal introduces • Refinement of CBC Casper: We extended CBC Casper.
basic building blocks of a consensus protocol, but is not We capture the concept of message justification as a
a complete consensus protocol. It abstracts away the data binary relation and prove that messages are a strict partial
structure over which to reach consensus as consensus values order and well-founded. We show messages by validators
as well as the fork-choice rule that is employed to decide with no equivocation faults are well-ordered. Moreover,
between conflicting validators. Hence, it considers a special we introduce a necessary and sufficient condition of a
case of safety faults (equivocating validators) and does not message making a state transition and show a union of
consider liveness faults. By instantiating CBC Casper with states is a valid state. Last, we give a definition for
specific parameters like a data structure to reach consensus on blockchain specific safety for CBC Casper and prove
and fork-choice rules, additional faults need to be considered. safety for Casper TFG on a chain of blocks.
Nonetheless, the primary safety properties from Minimal CBC • Formal verification: We formally verify our work in the
Casper are inherited. Isabelle/HOL proof assistant. CBC Casper is defined as
Consensus protocols have been subject to rigorous anal- a locale in Isabelle/HOL which allows us to construct
ysis. The Nakamoto consensus protocol is analysed under multiple protocols which inherit already proven proper-
synchronous and asynchronous network models in [25], [26]. ties. We redefine a lemma of latest messages which is
Further, Badertscher et al. introduce a universally composable incorrect in [1]. Last, we re-formalise the Casper TFG
(UC) analysis of Bitcoin [27]. The UC principle is further protocol with a fork-choice rule that includes more blocks
used to extend the security properties of Ouroboros Praos [28] than the genesis. Our proofs in Isabelle/HOL are open
with Ouroboros Genesis [11]. The CBC Casper paper specifies source2 .
pen-and-papers proofs to verify safety given equivocating
validators, but does not follow the property- or simulation- B. Outline
based methods of previous work. We extend the current work
on CBC Casper to bring it closer to a full consensus protocol. Section II introduces our systematisation of knowledge of
We also give hints on how the protocol can be extended to CBC Casper. We discuss the safety and liveness of CBC
include and prove liveness properties. Casper in Section III. Next, we introduce refinements to CBC
Casper in Section IV. This is followed by the description of
A. Contribution our approach to formally verify CBC Casper in Isabelle/HOL
in Section V. Further, we present a more realistic construction
We summarise CBC Casper from three working papers [1], of CBC Casper the Friendly GHOST. We compare our contri-
[23], [29] and give further pointers from blog articles and butions to related work in Section VI. The article is concluded
talks where relevant. The details of our contributions are and future work is presented in Section VII.
summarised below and displayed in Figure 1.
• Refinement of safety and liveness: CBC Casper consid-
II. CBC C ASPER
ers a particular safety fault for its proofs. We extend this
work by presenting a general definition of asynchronous CBC Casper introduces a family of “correct-by-
safety and discuss extensions to provide safety and live- construction” consensus protocols. We first describe the
ness for protocols building on CBC Casper. To this end, CBC Casper approach, its parameters, followed by an
we discuss and refine Casper the Friendly GHOST (TFG), overview of the protocol.
a protocol that uses chains of blocks and a variant of
GHOST [12] as a fork-choice rule. Further, we revise the 2 https://github.com/LayerXcom/cbc-casper-proofA. Design approach TABLE I
CBC C ASPER PROTOCOL PARAMETERS .
CBC Casper abstracts consensus protocols by five param-
eters and provides a minimum specification. This minimum Parameter Name Definition
specification is intentionally abstract. It is designed to share a V Validator names V 6= ∅: A finite set of validators.
W Validator weights W : V → R+ : A function assigning
proof of safety within the range of the parameters and without
Pto V.
positive weights
assumptions on message delay. By restricting parameters, t Fault threshold t ∈ R+ , t < v∈V W(v): A pos-
consensus protocols can be instantiated to have other desirable itive number smaller than the total
weights of all validators.
properties without breaking the safety proof. For example, C Consensus values |C| > 1: A set of all consensus
we show a protocol where we restrict one parameter, the values.
consensus value, to a chain of blocks. For this, we provide E Estimator E : Σ → P(C) \ {∅}: A function that
returns the set of consensus values
a blockchain-specific safety proof in Section IV-C. from a protocol state Σ.
CBC Casper allows an iterative design of consensus proto-
cols by starting from the minimum specification equipped with
the proof of safety and the safety oracle. Also, we can discuss B. Parameters
the trade-offs between metrics such as latency to finality, the The parameters of CBC Casper are listed in Table I.
number of validators, and the number of messages required Validators V are the finite set of consensus-forming nodes4 .
for each protocol within one framework [30]. Because of this Weights W are assigned to each validator. In PoS consensus
design principle, the minimum specification of CBC Casper protocols, the weight can be decided by the amount of stake.
abstracts its implementation details including the data structure The fault threshold t is the upper bound of the added weight
of consensus values, block proposing mechanism, fork choice of validators which are subject to faults described in Section
rule, and signature scheme3 . Instances of CBC Casper are III-A. Consensus values C are the set of all possible values
introduced including Casper the Friendly Binary Consensus, which validators agree on. In a binary protocol, consensus
Casper TFG, and a sharding consensus protocol. values are a set {0, 1}. In blockchain protocols, they are the
Note that liveness is not covered by the Minimum CBC set of all possible blocks or chains. The estimator E is a
Casper specification and hence is discussed specifically in function executed by each validator in the consensus protocol.
each instance of a protocol. We describe this in Section III-D. Typically, this corresponds to the fork-choice rule and derives
An overview of CBC Casper’s design approach is given in consensus values from the protocol states Σ. For example,
Figure 2. Casper TFG uses a variant of GHOST [12] for the estimator.
Validators choose among consensus values if and only if the
3 Ali et al. [31] reviewed CBC Casper under the assumption of a “complete” estimator returns a set with multiple elements.
consensus protocol. However, by definition, Minimal CBC Casper is abstract.
Their comments are helpful for creating protocol instances that are based on C. States and messages
CBC Casper.
In CBC Casper, validators make decisions individually
based on their local states and a state consists of messages.
A state represents the set of messages that the validator at
that state received so far. A message is defined as a 3-tuple
consisting of an “estimate” c ∈ C, together with a “sender”
v ∈ V, and a “justification” σ ∈ Σ.
Definition 1 (Estimate, Sender, Justification):
Estimate((c, v, σ)) := c (1)
Sender((c, v, σ)) := v (2)
Justification((c, v, σ)) := σ (3)
Senders are other validators in the network and authenticated
e.g. by a digital signature. Estimates are votes on the con-
sensus value by a sender. For example, a certain chain of
blocks within a set of alternative chains. Last, the justification
Fig. 2. Minimal CBC Casper is an abstract framework. Protocols that use contains all previous messages that the validator received
Minimal CBC Casper are instances that share the faults and proofs of Minimal and provides an argument on why the consensus value was
CBC Casper. In this example we display how CBC Casper is used to create an reached. Specifically, validators can only have estimates which
instance of Casper the Friendly GHOST. First, the parameters are instantiated
(as described in Section III-D). Next, additional faults and safety proofs are the result of executing the estimator function E for the
are added as discussed in Section IV-C. Last, Casper TFG is constructed
and verified using Isabelle/HOL (see Section V-E). Note that the work on 4 In [1], the condition that V must be finite is not explicitly stated. This
Casper TFG is in progress and the list of faults and proofs listed here are not condition is reasonable if we consider the protocol is used in real world and
exhaustive. also necessary for the later proofs.justification. For example, in Casper TFG, estimates are the we need to consider faults that prevent consensus under these
blocks selected by its fork choice rule. Justifications are assumptions. For example, if a validator σi fails to send or
integral to safety oracles described in Section III-C. receive a message m, a state transition to σi ∪ {m} is not
The sets of possible states Σ and messages M are defined possible. This is considered a liveness fault (omission fault).
below. It is an interpretation how possible validators’ states However, in asynchronous networks omission faults cannot be
and messages evolve during the execution of the protocol. distinguished from latency.
Definition 2 (States and messages): We can prove safety by considering equivocation faults.
Equivocation is a Byzantine behaviour where a validator shows
Σ0 := {∅} (4)
different protocol execution [32].
n n
M := {m ∈ C × V × Σ | Definition 4 (Equivocation): In CBC Casper, equivocation
(5)
Estimate(m) ∈ E(Justification(m))} is defined as producing a pair of messages which do not justify
Σn := {σ ∈ Pfinite (M n−1 ) | each other.
(6)
∀m ∈ σ. Justification(m) ⊆ σ}, for n > 0 m1 ⊥ m2 :⇔ Sender(m1 ) = Sender(m2 ) ∧ m1 6= m2
∞
(10)
[ ∧ m1 ∈
/ Justification(m2 ) ∧ m2 ∈
/ Justification(m1 )
M := Mi (7)
i=0
∞
This is considered a fault because in a single execution of the
protocol, every time a validator sends a message, the validator
[
i
Σ := Σ (8)
i=0
must have seen their previous messages.
Definition 5 (Equivocating validators): Equivocating valida-
Pfinite is a power set function which only returns finite sets.
tors can show inconsistent decisions to different validators who
Hence all σ ∈ Σ and Justification(m) of m ∈ M are
received only one of the equivocating messages.
finite. We formally verify that Σn and M n are monotonically
growing, i.e. for all n ∈ N 5 , Σn ⊆ Σn+1 and M n ⊆ M n+1 . E(σ) := {v ∈ V | ∃m1 , m2 ∈ σ.
Note that a set of messages is not necessarily a state, i.e. do not (11)
m1 ⊥ m2 ∧ Sender(m1 ) = v}
necessarily exists in Σ. When m1 ∈ Justification(m2 ), m1 is
justified by m2 and m2 is a later message of m1 . The message Note that equivocation faults are accountable [13], i.e. a
sent by a validator which is not justified by any messages from deposit and slash mechanism to economically prevent equiv-
the same validator is called the latest message of the validator. ocating can be implemented because a pair of equivocating
Definition 3 (State transition): With a newly received mes- messages is a verifiable evidence.
sage, a validator can transition its state to a new state σ 0 , if For convenience, we define helper functions about equivo-
and only if σ 0 ∈ Σ. This is called state transition defined as cation faults. For this, we first define a function to measure
a relationship → which represents a set inclusion. the weight of a given set of validators.
Definition 6 (Weight measure):
σ1 → σ2 :⇔ σ1 ⊆ σ2 (9) X
W (V ) := W(v) (12)
A set of states which a state σ can transit to is called the future
v∈V
states of σ.
A final decision on a new consensus value is reached after Then we define a function to measure the weight of equivo-
seeing “enough” valid messages from validators determined cating validators.
by the safety oracle. The minimum specification only covers Definition 7 (Equivocation fault weight):
definitions of valid messages and states, state transitions, and
the safety oracle. Also, the minimum specification does not F (σ) := W (E(σ)) (13)
make any assumption of timing i.e. it is in an asynchronous
We define the set of states where there are t equivocation faults
network. Other specifications such as validators’ strategies
(by weight) or less.
(e.g. when they should send a message) are not specified.
Definition 8 (States with equivocation fault threshold):
III. S AFETY AND LIVENESS
Σt := {σ ∈ Σ | F (σ) ≤ t} (14)
We discuss faults, safety and liveness properties as well as
the safety oracle in CBC Casper. Last, we elaborate the current Moreover, we define the set of future states of σ where there
state of CBC Casper. are t equivocation faults or less.
Definition 9 (Future states with equivocation fault thresh-
A. Faults
old):
Validators are described by their local states {σi | 1 ≤ i ≤
n} ⊆ Σ. We assume that protocol-following validators can Futurest (σ) := {σ 0 ∈ Σt | σ → σ 0 } (15)
detect valid messages and transit to valid states. Therefore,
We need to discuss more kinds of faults other than equivo-
5 In this paper, N represents a set of integers greater or equal to 0. cation faults when we instantiate a protocol to prove liveness.B. Safety C. Safety oracle
CBC Casper claims that its family of consensus protocols To make a decision that holds in any future state, validators
is asynchronously safe, i.e. it is not possible for validators must detect that some properties hold in any future state where
to make inconsistent decisions in an asynchronous network, there are t equivocations or less. Although we can have a
without assumptions on the time delay between sending and detection rule specific to a certain protocol and properties,
receiving messages. In this section, we introduce asynchronous CBC Casper implements a general decision mechanisms called
safety of CBC Casper, modifying the definition in [1]. safety oracle so that the decision mechanism can be discussed
Validators in CBC Casper make decision on properties of inside the CBC approach. Different types of safety oracles are
consensus values6 . For example, in binary consensus protocols proposed including the clique oracle [30]. The draft of the
where C = {0, 1}, the property can be “a consensus value updated version of [1] has a section of safety oracle which
is 1”. In blockchain consensus protocols, the property is the has the definition of clique oracle and the unfinished proof
membership of a certain block b in a chain. of the correctness of the oracle, which is in parts described
Definition 10 (Block membership): A consensus value is a formally in [24]. In the rest of this section, we extend this
block which has a certain block b as its ancestor. work of safety oracle.
First, the concept of “clique” is introduced. Clique is a set
Pblock (b) := λb0 . b b0 (16)
of non-equivocating validators who are “locked on” a property
0
Here b b defined to return true if and only if b is an ancestor p, that is, validators who mutually see each other agreeing on p
block of b0 . A property is called to “hold at a state” if all the and will not see each other disagreeing on p in the observer’s
consensus values the estimator returns at the state satisfy the state. A validator is agreeing on p if and only if the latest
property. estimate (i.e. the estimate of its latest message) satisfies p.
Definition 11 (Decision): Validators in CBC Casper make A validator is disagreeing on p if and only if she is neither
decisions on safe properties defined as properties which hold agreeing on p nor equivocating.
in any future state where there are t equivocation faults by Definition 12 (Clique): In a state σ, a clique is a set of
weight or less. Hence, a decision of a validator at a state σ is non-equivocating validators V such that for all v ∈ V , (i)
defined as: in the justification of the latest message of v, p holds at the
Decisions(σ) := {p | ∀σ 0 ∈ Futurest (σ 0 ). latest estimate of the other validators, and (ii) there is no later
(17) message of the other validators in σ whose estimate does not
∀c ∈ E(σ). p(c)}
satisfy p.
Decision on Pblock (b) means the finality of the block b. For the clique oracle to work, the target property must be a
Finally, we introduce the definition of safety. Safety is dis- max driven property i.e. a property which holds when the set of
cussed for n validators that have no more than t equivocation non-equivocating validators agreeing on the property is larger
faults by weight. Because CBC Casper models validators local than the set of non-equivocating validators disagreeing on the
states, this assumption is expressed as: there are no more than property by weight. The clique oracle makes a validator decide
t equivocation faults in the union of (local) states. on a property p when there is a clique larger than a certain
Theorem 1 (Safety): If there are t equivocation faults or threshold by weight. (Note that this threshold is different from
less in the union of states of a finite number n of validators, a equivocation fault threshold t.)
negation of a property decided by one validator is not decided Definition 13 (Clique oracle threshold):
by another validator.
n
T (σ) := W (V)/2 + t/2 − F (σ) (19)
[
{σi | 1 ≤ i ≤ n} ⊆ Σt . F ( σi ) ≤ t A blockchain consensus protocol explained in Section III-D
i=1
n
can adopt this threshold.
The validity of clique oracle is supported by this theorem.
[
=⇒ ∀p ∈ Decisions(σi ). (18)
i=1 Theorem 2 (Clique oracle detects safe properties): If there
[n is a clique for a max driven property p larger than T (σ), p
¬p∈
/ Decisions(σi ) holds in any future state of σ where there are t equivocations
i=1 or less.
In Appendix B, we show this theorem by extending the proofs
Our definition of safety is different from [1]. The reason of in Rush [24]. Concerning the Byzantine fault threshold t0 , we
this modification is explained in Appendix A. prove that t0 < W (V)/3 is a necessary and sufficient condition
We provide the proof of safety in this abstract form and for the protocol not to “get stuck” i.e. there are enough non-
elaborate on the safety of blockchain consensus protocols in faulty validators that can form a clique in Appendix C.
Section IV-C. Also, these are formally verified in Isabelle/HOL
The safety oracle is not yet finalised and is currently being
and the representation is introduced in Section V-C.
debated. The clique oracle described above is not shown to
6 The safety of decisions on properties of states is also discussed in [1]. We be optimal and further research w.r.t. computational efficiency
omit it in this paper for the sake of brevity. and latency for detection is left as future work.D. Liveness
The minimum specification provides safety and a safety
oracle but not liveness i.e. that validators eventually decide
on a proposed block. Proving liveness in the minimum spec-
ification is impossible because it does not make assumptions
on timing and we cannot prove both safety and liveness in an
asynchronous network [3]. Therefore, we need to instantiate a
specific protocol from CBC Casper and specify the validator Fig. 3. A clique in a blockchain. Plain arrows represent the chain structure
strategy to prove liveness. Also, additional faults other than and dotted arrows represent justifications. (Arrows of justifications to ancestor
blocks are omitted.) Validator A, C, and D form a clique for the first block
equivocation need to be considered. In this section, we discuss from A. All the blue blocks justify all the red blocks.
an instance of a protocol and how we can discuss liveness with
it, while we leave the complete and formally verified proof of
liveness as future work. a cartel. Also, when we consider using CBC Casper for a
We instantiate Casper TFG [1], which is a blockchain public blockchain, we should achieve a dynamic validator
consensus protocol where the consensus values are blocks and set because currently we are assuming static validator set V.
the fork-choice rule is a variant of GHOST [12] called latest We proposed a way to rotate validators specific to blockchain
message driven (LMD) GHOST that calculates the score of a consensus protocols based on modified LMD GHOST which
block only by the latest messages of validators. In Appendix D, calculate a score of a block by the weight extracted from the
we prove that the block membership property (Definition 10) blockchain [33], extending the proposal in [23].
is max driven in LMD GHOST so we can use the clique oracle There is a large gap between the minimum specification
from Section III-C. Here we instantiate it as a “vote-by-block” and an implementable specification. First, CBC Casper makes
style blockchain consensus protocol where all messages must no assumptions on how the sender of each message is au-
propose a new block as its estimate by specifying a certain thenticated but it is important when the protocols are used
mechanism of block proposer election7 . For this, we modify with untrusted parties. Buterin presented an issue about the
the estimator so that it only allows new blocks which extend efficiency of authentication in CBC Casper due to the diffi-
the head decided by LMD GHOST. Then, we discuss liveness culty of signature aggregation for messages [34]. Second, for
of this protocol. blockchain consensus protocols in CBC Casper the mechanism
Conjecture 1 (Liveness with clique oracle): Protocol- of block proposal and the fork-choice rule need to be specified.
following validators eventually reach a state σ ∈ Σt where These are closely related to the liveness of the protocol as
there exists a clique of Pblock (b) which is larger than T (σ) by discussed in Section III-D. Finally, the data size of justification
weight (under appropriate assumptions on fault and network). is a problem because the justification is defined to include all
In blockchain consensus protocol, the proposers of descendant messages the validator has seen. It is discussed to abandon
blocks of b are agreeing on Pblock (b) at the estimate of the messages other than the latest message of each validator and
message which proposed that block. Also, a message justifies retain the hashes of previous messages.
all the messages which proposed its ancestor blocks as a part
of the evidence of the fork choice. Therefore, a clique V for IV. R EFINEMENTS OF CBC C ASPER
Pblock (b) forms when each of validators in V has produced a We capture message justifications and state transitions in
descendant block of b and again produced a descendant block CBC Casper using binary relations and ordering. Message
of b justifying the first messages of all the validators in V , justifications and state transitions form the foundation of the
as illustrated in Figure 3. Moreover, a clique of Pblock (b) is formal verification described in Section V and the proofs of
also valid for Pblock (b0 ) if b0 is an ancestor block of b. From safety oracle in Appendix B. Moreover, using the lemmas of
these observations, we conjecture that if a sufficient number message justifications and state transitions, we also provide
of validators converges to the same chain, they form a clique the proof of asynchronous safety described in Section III-B.
which finalises blocks that are “deep” in the chain. We leave Furthermore, we instantiate blockchain consensus safety from
more detailed analysis of liveness as future work. this abstract safety. The lemmas and theorems introduced in
this section are proved in Isabelle/HOL.
E. Discussions First, we introduce a lemma prerequisite for our later proofs.
CBC Casper is an ongoing research and has possible ex- Lemma 1:
tensions and issues in both theory and practice. The previous
paper of CBC Casper by Zamfir [23] claims that to remove in- ∀σ ∈ Σ. ∀m ∈ σ. Justification(m) ⊆ σ (20)
protocol threshold by the decision-making rule based on the
subjective equivocation fault threshold t demotivate to form Proof: There exists n ∈ N s.t. σ ∈ Σn by the definition
7 We can also instantiate a “block-and-vote” protocol where the estimator
of Σ. When n = 0, we have σ = ∅ by the definition of Σ0
also allows proposed blocks as described in V-E. This is one of the design and hence ∀m ∈ σ. P for any P . This implies the goal. When
choices that CBC Casper is designed to provide. n ≥ 1, we can prove the goal by the definition of Σn .A. Message justification leads to contradiction because the size of Justification(mi ) is
Definition 14 (Message justification): We define message greater or equal to 0 and justifications of messages are finite
justifications as a binary relation over M . by the definition of Σn and M n .
Lemma 4: ≺ is a strict linear order on From sender(v, σ)
m1 ≺ m2 :⇔ m1 ∈ Justification(m2 ) (21) if σ ∈ Σ and v ∈ V is non-equivocating validator.
In this subsection we prove lemmas about ordered sets defined Proof: From sender(v, σ) is a subset of σ by the
with this relation. Also, we define a function From sender definition. Also, we can prove σ ⊆ M by the def-
which returns a set of messages in σ ∈ Σ sent by a validator inition of states and messages. From these, we have
v as follows. From sender(v, σ) ⊆ M . This, Lemma 2 and Lemma 3
Definition 15 (Messages from a sender): implies that ≺ on From sender(v, σ) is partially ordered and
well-founded. Then, we show the goal by showing that ≺
From sender(v, σ) = {m ∈ σ : Sender(m) = v} (22) on From sender(v, σ) is semi-connex i.e. any distinct pair of
messages in From sender(v, σ) are comparable under ≺:
Lemma 2: ≺ is a strict partial order on M .
Proof: We prove this lemma by showing that ≺ on M is ∀m1 , m2 ∈ M . m1 = m2 ∨ m1 ≺ m2 ∨ m2 ≺ m1 (27)
irreflexive and transitive. We first prove irreflexivity:
This is proven by the definition of equivocation and the
∀m ∈ M . ¬ m ≺ m (23) assumption v ∈ / E(σ).
Lemma 5: ≺ is a strict well order on From sender(v, σ) if
We assume that there exists m ∈ M such that m ≺ m
v ∈ V is non-equivocating validator.
towards contradiction. By the definition of M , there exists n ∈ Proof: We can prove this because by Lemma 3 and
N s.t. m ∈ M n . By the definition of M n , Justification(m) ∈ Lemma 4, ≺ on From sender(v, σ) is well-founded and a
Σn . When n = 0, we have Justification(m) = ∅ by strict linear order if v ∈ V is non-equivocating validator.
the definition of Σ0 and this contradicts to the assumption
m ∈ Justification(m). When n ≥ 1, Justification(m) ∈ Σn B. State transition
implies Justification(m) ∈ Pfinite (M n−1 ) by the definition We define state transition as a binary relationship → over Σ
of Σn . From this and m ∈ Justification(m), we have which is introduced in Section II-C. Then, we prove lemmas
m ∈ M n−1 . By repeating these, m ∈ M 0 is derived and about state transitions.
this makes the same contradiction in n = 0. Lemma 6: → is a partial order on Σ.
Next, we prove transitivity: Proof: We can prove this lemma by showing → has re-
∀m1 , m2 , m3 ∈ M . m1 ≺ m2 flexivity, transitivity and antisymmetry on Σ. These properties
(24) are obvious because → is a relation of subset.
∧ m2 ≺ m3 =⇒ m1 ≺ m3
Lemma 7: Receiving a single message m at a state σ makes
We use monotonicity of justification [1]: state transition if and only if Justification(m) ⊆ σ.
∀m, m0 ∈ M . m ≺ m0 ∀σ ∈ Σ. ∀m ∈ M. σ ∪ {m} ∈ Σ
0 (25) (28)
=⇒ Justification(m) ⊆ Justification(m ) ⇐⇒ Justification(m) ⊆ σ
From this and the assumption, we have Justification(m2 ) ⊆
Proof: First, we prove the =⇒ direction. By the assump-
Justification(m3 ). From this and the assumption m1 ∈
tion and Lemma 1, we have Justification(m) ⊆ σ∪{m}. This
Justification(m2 ), we have the goal m1 ∈ Justification(m3 ).
and the irreflexivity of justification implies the goal.
Finally, the irreflexivity and the transitivity of ≺ on M implies
Next, we prove the ⇐= direction. There exists n1 , n2 ∈
that it is a strict partial order.
N s.t. σ ∈ Σn1 ∧m ∈ M n2 . When n1 = 0, we have σ = ∅ by
Lemma 3: ≺ is well-founded on M .
the definition of Σ0 . From this and Justification(m) ⊆ σ, we
Proof: First, we prove strict monotonicity of justification:
have Justification(m) = ∅ and hence Justification(m) =
∀m, m0 ∈ M . m ≺ m0 Σ0 . From this and m ∈ M , we have m ∈ M 0 . Hence,
(26) {m} ∈ Pfinite (M 0 ). From this, σ ∪ {m} = {m} and
=⇒ Justification(m) ⊂ Justification(m0 )
Justification(m) ⊆ σ, we can show σ ∪ {m} ∈ Σ1 and hence
By the monotonicity of justification, we have σ ∪ {m} ∈ Σ.
Justification(m) ⊆ Justification(m0 ). Also, because of the When n1 ≥ 1, because Σn and M n are monotonic8 i.e.,
irreflexivity of justification, we have m ∈/ Justification(m) Σ ⊆ Σn+1 ∧ M n ⊆ M n+1 , there exists n0 ∈ N s.t. n0 ≥
n
These and the assumption m ∈ Justification(m0 ) implies the 0
1 ∧ n0 ≥ n1 ∧ n0 ≥ n2 ∧ σ ∈ Σn ∧ m ∈ M n . By the
0
strict monotonicity of justification. 0
definition of Σn , we have σ ∈ Pfinite (M n −1 ). From this and
Then, we prove the goal by contradiction. If there exists 0 0 0
M n −1 ⊆ M n , we have σ ∈ Pfinite (M n ). From this and
a infinite descending chain consists of elements of M i.e., a 0 0
m ∈ M n , we have σ ∪ {m} ∈ Pfinite (M n ). Also, by Lemma
sequence m0 , m1 , m2 ... such that mi+1 ≺ mi for all i ∈ 1 and σ ∈ Σ, we have ∀m ∈ σ. Justification(m) ⊆ σ and
N, the size of Justification(mi ) is decreasing monotonically
due to the strict monotonicity of justification. However, this 8 This is proved by induction. We omit the proof of it.hence ∀m ∈ σ ∪{m}. Justification(m) ⊆ σ ∪{m}. From this Second, backward consistency:
0 0
and σ ∪ {m} ∈ Pfinite (M n ), σ ∪ {m} ∈ Σn +1 is derived.
∀σ ∈ Σt . ∀σ 0 ∈ Futurest (σ). ∀p. p ∈ Decisions(σ 0 )
Therefore, we can show σ ∪ {m} ∈ Σ by the definition of Σ. (33)
=⇒ ¬ p ∈ / Decisions(σ)
Lemma 8: About a strict subset σ 0 of a state σ, the difference Sn
By Lemma 9, Swe have i=1 σi ∈ Σ. SnFrom this and the0
has a message m such that Justification(m) ⊆ σ 0 . (Note that n
assumption F ( i=1 i σ ) ≤ t, we have i=1 σi ∈ Σt . Let σ
σ 0 is a set of message but not necessarily a state.) Sn
be i=1 σi . Because ∀i ∈ N. i ≤ n =⇒ σi ⊆ σ 0 , we have
∀σ ∈ Σ. ∀σ 0 . σ 0 ⊂ σ σ 0 ∈ Futurest (σi ). (i.e. σ 0 is a common
(29) Sn future of the valida-
=⇒ ∃m ∈ σ − σ 0 . Justification(m) ⊆ σ 0 tors). By forward consistency, ∀p ∈ i=1 Decisions(σi ). p ∈
Decisions(σ 0 ). Therefore, by backward consistency, ¬ p ∈ /
n
Proof: By Lemma 1, we have Justification(m) ⊆ σ.
S
i=1 Decisions(σ i ).
We assume ∀m ∈ σ − σ 0 . Justification(m) * σ 0 towards Next, we explain this abstract safety which depends nei-
contradiction. From this, σ 0 ⊂ σ and Justification(m) ⊆ σ, ther on parameters nor properties and implies the safety in
we have ∀m ∈ σ − σ 0 . ∃m0 ∈ Justification(m). m0 ∈ σ − blockchain, i.e. validators do not decide on conflicting blocks.
σ 0 . This implies ∀m ∈ σ − σ 0 . ∃m0 ∈ σ − σ 0 . m0 ≺ m. Definition 16 (Block conflict): Two blocks are conflicting if
However, this leads contradiction because σ − σ 0 is a subset and only if neither block is the ancestor of the other block.
of M and hence we have ≺ have a minimal element on σ − σ 0
by Lemma 3. Conflicting(b1 , b2 ) := ¬ (b1 b2 ∨ b1 b2 ) (34)
Lemma 9: The union of a finite set of states is a state.
Proof: First, we prove a lemma that the union of two
Then, because we consider blockchain consensus protocols,
states is a state.
we restrict C to satisfy this condition, i.e. ancestor blocks do
∀σ1 , σ2 ∈ Σ. σ1 ∪ σ2 ∈ Σ (30) not conflict.
When σ1 ⊆ σ2 , this is obvious because σ1 ∪ σ2 = σ2 . We ∀b, b0 , b00 ∈ C. b b0 ∧ b00 b0 =⇒ b b00 ∨ b00 b (35)
prove the case when σ1 * σ2 . Using Lemma 7 and Lemma 8,
we can derive as follows. Finally, we introduce blockchain safety defined as:
∀σ, σ 0 ∈ Σ. σ * σ 0 Theorem 3 (No decision on conflicting blocks): If a validator
=⇒ σ ∩ σ 0 ⊂ σ at a state σ1 considers the block b1 finalised, a validator at a
state σ2 does not considers a block b2 finalised if b1 and b2
=⇒ ∃m ∈ σ − σ ∩ σ 0 . Justification(m) ⊆ σ ∩ σ 0 (31)
are conflicting when there are t equivocations or less at the
0 0
=⇒ ∃m ∈ σ − σ . Justification(m) ⊆ σ union of their state.
=⇒ ∃m ∈ σ − σ 0 . σ 0 ∪ {m} ∈ Σ ∀b1 , b2 ∈ C. ∀σ1 , σ2 ∈ Σt .
This means that when we have a pair of states σ and σ 0 such F (σ1 ∪ σ2 ) ≤ t ∧ Conflicting(b1 , b2 )
that σ 0 * σ, we can pick up a message m from the difference (36)
=⇒ Pblock (b1 ) ∈ Decisions(σ1 )
σ − σ 0 and get a new pair of states σ and σ 0 ∪ {m} such
that σ 0 ∪ {m} * σ. By repeating this n times where n is the =⇒ Pblock (b2 ) ∈
/ Decisions(σ2 )
number of messages in the σ − σ 0 , we eventually get a state
σ 0 ∪ {σ − σ 0 } = σ ∪ σ 0 . This complete the proof of the case Proof: Using the n = 2 case of safety Theorem 1,
when σ1 * σ2 . ¬ Pblock (b1 ) ∈/ Decisions(σ2 ) is derived. By this and the
Now we proved the lemma that the union of two states is definition of Decisions, we have ∃σ 0 ∈ Futurest (σ2 ). ∀b ∈
always a state. About a finite set of states, we can prove its E(σ 0 ). b1 b. Assume Pblock (b2 ) ∈ Decisions(σ2 ) towards
union is a state by using this lemma repeatedly. contradiction. Unfolding the definition of Decisions, we have
Lemma 9 also implies that there is no race condition i.e. ∀σ 0 ∈ Futurest (σ2 ). ∀b ∈ E(σ 0 ). b2 b. From this and
when σ ∪ {m1 } ∈ Σ and σ ∪ {m2 } ∈ Σ, the order of receiving ∃σ 0 ∈ Futurest (σ2 ). ∀b ∈ E(σ 0 ). b1 b, we have ∃σ 0 ∈
m1 and m2 does not matter because σ ∪ {m1 , m2 } ∈ Σ. Futurest (σ2 ). ∀b ∈ E(σ 0 ). b1 b ∧ b2 b. From this and
the assumption that ancestor blocks do not conflict, we have
C. Consensus Safety
b1 b2 ∨ b2 b1 . This makes contradiction to the assumption
In this subsection, we provide the proof sketch of Theorem Conflicting(b1 , b2 ).
1 and introduce blockchain-specific safety.
Proof: We prove Theorem 1. We use two lemmas regard- V. F ORMAL VERIFICATION OF CBC C ASPER
ing decisions9 . First, forward consistency: We introduce our work on formal verification of CBC
∀σ ∈ Σt . ∀σ 0 ∈ Futurest (σ). ∀p. p ∈ Decisions(σ) Casper10 . Isabelle/HOL is an interactive proof assistant that
(32)
=⇒ p ∈ Decisions(σ 0 ) utilises functional programming and higher-order logic [35].
9 These are extensions of Lemma 2 and Lemma 3 of [1] for properties of 10 Names of theorems and definitions in Isabelle/HOL are shortened from
consensus values. the public repository.A. Protocol definition theorem (in Protocol) n-party-consensus-safety :
∀ σ-set. σ-set ⊆ Σt
We instantiate CBC Casper with the parameters listed in −→ finite σ-set
Section II-B using Isabelle’s locale feature [36] to parameter-
S
−→ faults-lt-threshold ( σ-set)
S 0 0 0
ize theories as displayed in Figure 4. −→ (∀ p ∈ {decisions
S σ | σ . σ ∈ 0 σ-set}.
(λc. (¬ p c)) ∈ / {decisions σ | σ 0. σ 0 ∈ σ-set})
locale Protocol =
Fig. 6. Theorem n-party-consensus-safety in Isabelle/HOL.
fixes V :: validator set
and W :: validator ⇒ real
and t :: real
and C :: consensus-value set The theorem displayed in Figure 7 is the definition of Theo-
and ε :: message set ⇒ consensus-value set rem 3 in Isabelle/HOL. conflicting and membership represents
assumes V-type: V 6= ∅ ∧ finite V Definition 16 and Definition 10 respectively.
and W-type: ∀ v ∈ V. W v > 0
and t-type: 0 ≤ t t < sum W V theorem (in Blockchain) no-decision-on-conflicting-blocks :
and C-type: card C > 1 ∀ σ1 σ2. {σ1, σ2} ⊆ Σt
and ε-type: ∀ σ ∈ Σ. ε σ ∈ Pow C − {∅} −→ faults-lt-threshold (σ1 ∪ σ2)
−→ (∀ b1 b2. {b1, b2} ⊆ C ∧ conflicting (b1, b2)
Fig. 4. Excerpt of datatypes and locale definition of CBC Casper in −→ membership b1 ∈ decisions σ1
Isabelle/HOL.
−→ membership b2 ∈ / decisions σ2)
B. Types of functions Fig. 7. Theorem no-decision-on-conflicting-blocks in Isabelle/HOL.
Every function in CBC Casper is defined with their types,
using sets such as validators V, consensus values C, states D. Properties of message justification and state transition
Σ and messages M . As Isabelle does not support dependent We prove the properties of message justifications and state
types, we define them as set types and prove that the every transitions described in Section IV using theories of HOL
function we define matches with its original types11 . We show Session [37] and Restricted Predicates in AFP [38]. With the
as an example the Observed function defined in [1] as follows: message justification, we prove the below lemma from [1].
Lemma 10: Non-equivocating validators observed in a state
Observed : P(M ) → P(V) (37) σ have a single latest message in σ.
Observed(σ) := {Sender(m) : m ∈ σ} (38) Here a validator is called observed in a state if and only if there
exists a message from the validator in the state. This lemma is
Our definition and a lemma about the type of this function
important for clique orcle because the proof of its correctness
in Isabelle/HOL are shown in Figure 5. Although the type
depends on it [24] and also for LMD GHOST. However, as
validator set does not necessary force the function observed
it is already pointed out [39], the proof in [1] based on the
to return a set of validators in V, the lemma observed-type
relation of comparison of the size of justifications of message
proves the type of the output is P(V) if the type of the input
is not correct.
is P(M ). We proved lemmas like this for all functions to make
We formally verify this lemma in Isabelle/HOL as follows.
sure that their types are correct.
First, we prove that a latest message of a validator v in a state
definition observed :: message set ⇒ validator set σ is a maximal element about ≺ on From sender(v, σ). Next,
where as an independent contribution, we prove that a linear order
observed σ = {sender m | m. m ∈ σ} on non-empty finite set has one maximum by proving that:
• A strict partial order on non-empty finite set has at least
lemma (in Protocol) observed-type :
∀ σ ∈ Pow M. observed σ ∈ Pow V one maximal element.
• A strict partial order has at most one maximum.
Fig. 5. Definition of observed and a lemma of it. • A maximal element is a maximum in linearly ordered set.
From this theorem, we prove Lemma 10 because ≺ is a strict
C. Asynchronous safety linear order on From sender(v, σ) if v is an non-equivocating
We prove Theorem 1 and Theorem 3 in Isabelle/HOL. The validator as we described in IV-A.
theorem displayed in Figure 6 is the definition of Theorem 1 E. Casper the Friendly GHOST
in Isabelle/HOL.
Casper TFG is an instance of CBC Casper as introduced
σ-set represents the set of the validators’ states. finite σ-set
in Section III-D. In Casper TFG, consensus values are blocks
means that the Snumber of the validators is finite.
and the estimator is based on LMD GHOST. We construct
faults-lt-threshold( σ-set) states that in the union of the state
Casper TFG in Isabelle/HOL, modifying the construction in
of validators there are not more than t equivocation faults.
the CBC Casper paper. First, we defined LMD GHOST as
decisions represents Definition 11.
GHOST function.
11 The types validator, consensus value, message and state in Figure 4 are Next, we defined the estimator of Casper TFG. The original
supertypes of them. estimator function [1] only allows blocks in GHOST({g}, σ).function (in Ghost) GHOST :: (block set ∗ state) => block set work is extended by using the UC model [27]. The UC
where model for Bitcoin includes an adversary that can selectively
GHOST (b-set, σ) =
S
( b ∈ {b ∈ b-set. children (b, σ) 6= ∅}. insert or delay messages as well as adaptive corruption of
GHOST (best-children (b, σ), σ)) validators. Also, the ledger functionality is split into a lottery
∪ {b ∈ b-set. children (b, σ) = ∅} aspect and the remainder of the protocol. A UC treatment or
other simulation-based proof of CBC Casper including exact
Fig. 8. GHOST in Isabelle/HOL
definitions of ideal functionalities, protocols, and a simulator
is a promising direction for future work.
This results in a construct where no other block than the The family of Ouroboros consensus protocol is introduced
genesis block g can be proposed because GHOST({g}, σ) in [44]. Further, Ouroboros is extended for a semi-synchronous
returns blocks which is appeared in σ. Therefore, we modify network with Praos [45]. Unlike CBC Casper, Ouroboros and
the definition to include not only the result of LMD GHOST Praos are probabilistic consensus protocol. From the initial
but also the child blocks of them. simulation-based analysis, Ouroboros moved to a UC model
with Genesis [11]. Moreover, there is a repository including
E(σ) = GHOST({g}, σ)
[ formal verification of Ouroboros Praos [46] in Isabelle/HOL
∪ children(b, σ) (39) and an implementation in Haskell. This work introduces ideal
b∈GHOST({g},σ) functionalities, protocols, and a simulator that can be applied
This estimator can be used in “block-and-vote” protocol, to other PoS protocols, like CBC Casper, as well.
which has two types of messages i.e. messages which propose Algorand [47] is also proposals for PoS consensus proto-
a new block and messages which vote for a proposed block. cols. The protocol includes an assumption that 2/3 of the
weighted participants are honest or at least rational. This work
F. Improving the CBC Casper paper is relevant for its approach to validator election as this is not
We found several issues in [1] through the formal ver- covered in CBC Casper.
ification that are reported to the authors. We list these in HotStuff is a consensus protocol using a semi-synchronous
Appendix E. model with a leader requiring linear communication [48]. It
contributes a property termed optimistic responsiveness where
VI. R ELATED WORK a leader needs to wait only for a fraction of responses from
We compare our verification efforts to related work. Toy- other nodes (the total nodes minus the faulty ones) to guarantee
chain is a formalisation of a consensus protocol in the progress. Further, HotStuff offers a framework to analyse other
Coq proof assistant [40]. Toychain provides an explicit data protocols under which a version of Casper FFG is discussed.
structure, i.e. block forest, and parameters to instantiate the Other work extends consensus protocols by introducing
protocol. It offers a small-step semantics for message passing DAGs with an adoption of existing fork-choice rules, e.g.
and is proven to reach consensus after quiescent network under SPECTRE [49], PHANTOM [50]. The work on CBC Casper
an assumption that every nodes know each other. In our CBC is orthogonal to these proposals as the fork-choice rule as well
Casper proofs, the data structure of the consensus values are as the data structure are parameters in CBC Casper.
abstracted. Hence, our model can be applied to blockchains, VII. C ONCLUSION
DAGs, or other data constructs. Further, Toychain proves
We present a summary of CBC Casper and contribute re-
eventual consistency without considering Byzantine faults and
finements to the CBC Casper protocol family. Our refinements
leaves liveness properties as future work.
include a new definition of asynchronous safety for the CBC
Safety of a simplified version of CBC Casper is verified
Casper framework. Further, we define and prove blockchain
in Isabelle/HOL by Hirai [41]. It covers a binary consensus
safety and discuss liveness for a protocol instance called
where non-equivocating two-party validators, “max weight”
Casper TFG, which builds on a variant of GHOST. Next,
estimator and “tie braking” weights are allowed along with
we revise properties about messages and state transition and
simpler definitions of messages and states.
propose a revised clique oracle. We show that validators can
Casper FFG is initially verified in Isabelle/HOL by Hi-
reach decisions with a clique oracle where 2/3 of validators by
rai [42]. This work is extended by verifying Casper FFG in
weight are honest. Our work is verified using Isabelle/HOL.
the Coq proof assistant [43]. Notably, this work builds on Toy-
We are currently working on a complete specification of
chain. The proofs cover the two properties accountable safety
Casper TFG including validator rotation and a more efficient
and plausible liveness with a static finite set of validators. Both
construction to verify the DAG of messages. Future work also
proofs rely on the assumption that at least 2/3 of validators
includes revising our liveness proofs with a formal definition
behave honestly.
of an adversary as well as verifying the safety oracle in
The Nakamoto consensus protocol is subject to extensive
Isabelle/HOL.
analysis by Garay et al. [25] and Pass et al. [26] using a
synchronous and semi-synchronous setting respectively. They ACKNOWLEDGMENT
define three general properties of blockchain consensus proto- We would like to thank Yusuke Ishibashi for supporting
cols: common prefix, chain growth, and chain quality. This us with our questions concerning proofs in Isabelle. Further,we like to thank Bernardo David for comments on an earlier [19] I. Bentov, R. Pass, and E. Shi, “Snow white: Provably secure proofs of
version of this paper. stake,” https://eprint.iacr.org/2016/919.pdf, 2016, accessed: 2016-11-08.
[Online]. Available: https://eprint.iacr.org/2016/919.pdf
[20] P. Gaži, A. Kiayias, and A. Russell, “Stake-Bleeding Attacks on Proof-
R EFERENCES of-Stake Blockchains,” 2018 Crypto Valley Conference on Blockchain
Technology (CVCBT), pp. 85–92, 2018.
[1] V. Zamfir, N. Rush, A. Asgaonkar, and G. Piliouras, “Introducing the [21] V. Buterin and V. Griffith, “Casper the friendly finality gadget,”
”Minimal CBC Casper” Family of Consensus Protocols,” 2018. arXiv:1710.09437, 2017, accessed:2017-11-06. [Online]. Available:
[2] L. Lamport, R. Shostak, and M. Pease, “The byzantine generals https://arxiv.org/pdf/1710.09437.pdf
problem,” vol. 4, no. 3. ACM, 1982, pp. 382–401. [Online]. [22] Ethereum, “Ethereum 2.0 Specifications,” 2019. [Online]. Available:
Available: http://people.cs.uchicago.edu/∼shanlu/teaching/33100 wi15/ https://github.com/ethereum/eth2.0-specs
papers/byz.pdf [23] V. Zamfir, “Casper the friendly ghost: A correct by construction
[3] M. J. Fischer, N. A. Lynch, and M. S. Paterson, “Impossibility blockchain consensus protocol,” https://github.com/ethereum/research/
of distributed consensus with one faulty process,” vol. 32, no. 2. blob/master/papers/CasperTFG/CasperTFG.pdf, accessed 2018-06-27.
ACM, 1985, pp. 374–382. [Online]. Available: http://macs.citadel.edu/ [24] N. Rush and R. Nakamura, “CBC Casper Safety Oracle,” 2019. [Online].
rudolphg/csci604/ImpossibilityofConsensus.pdf Available: https://github.com/cbc-casper/cbc-casper-paper/pull/13
[4] S. Gilbert and N. Lynch, “Perspectives on the CAP Theorem,” [25] J. A. Garay, A. Kiayias, and N. Leonardos, “The bitcoin backbone
Computer, vol. 45, no. 2, pp. 30–36, 2 2012. [Online]. Available: protocol with chains of variable difficulty,” http://eprint.iacr.org/
http://ieeexplore.ieee.org/document/6122006/ 2016/1048.pdf, 2016, accessed: 2017-02-06. [Online]. Available:
[5] S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system,” https: http://eprint.iacr.org/2016/1048.pdf
//bitcoin.org/bitcoin.pdf, Dec 2008, accessed: 2015-07-01. [Online]. [26] R. Pass, L. Seeman, and a. shelat, “Analysis of the blockchain protocol
Available: https://bitcoin.org/bitcoin.pdf in asynchronous networks,” http://eprint.iacr.org/2016/454.pdf, 2016,
[6] I. Eyal and E. G. Sirer, “Majority is not enough: Bitcoin mining is accessed: 2016-08-01. [Online]. Available: http://eprint.iacr.org/2016/
vulnerable,” in Financial Cryptography and Data Security. Springer, 454.pdf
2014, pp. 436–454. [Online]. Available: http://arxiv.org/pdf/1311.0243 [27] C. Badertscher, U. Maurer, D. Tschudi, and V. Zikas, “Bitcoin as
[7] K. Nayak, S. Kumar, A. Miller, and E. Shi, “Stubborn mining: a transaction ledger: A composable treatment,” Cryptology ePrint
Generalizing selfish mining and combining with an eclipse attack,” in Archive, Report 2017/149, 2017, accessed:2017-09-26. [Online].
1st IEEE European Symposium on Security and Privacy, 2016. IEEE, Available: https://eprint.iacr.org/2017/149.pdf
2016. [Online]. Available: http://eprint.iacr.org/2015/796.pdf [28] B. David, P. Gaži, A. Kiayias, and A. Russell, “Ouroboros Praos: An
[8] L. Luu, J. Teutsch, R. Kulkarni, and P. Saxena, “Demystifying Adaptively-Secure, Semi-synchronous Proof-of-Stake Blockchain,” in
incentives in the consensus computer,” in Proceedings of the Advances in Cryptology – EUROCRYPT 2018, J. B. Nielsen and V. Ri-
22nd ACM SIGSAC Conference on Computer and Communications jmen, Eds., vol. 46, no. 1. Cham: Springer International Publishing,
Security. ACM, 2015, pp. 706–719. [Online]. Available: http: 2018, pp. 66–98.
//www.comp.nus.edu.sg/∼prateeks/papers/VeriEther.pdf [29] V. Zamfir, “A Template for Correct-by-Construction Consensus
[9] K. Croman, C. Decker, I. Eyal, A. E. Gencer, A. Juels, A. Kosba, Protocols,” 2017. [Online]. Available: https://github.com/ethereum/
A. Miller, P. Saxena, E. Shi, and E. Gün, “On scaling decentralized research/blob/master/papers/cbc-consensus/AbstractCBC.pdf
blockchains,” in 3rd Workshop on Bitcoin and Blockchain Research, [30] Ethereum, “Correct-by-construction Casper Wiki,” 2019. [Online].
Financial Cryptography 16, 2016. [Online]. Available: http://www.tik. Available: https://github.com/ethereum/cbc-casper/wiki
ee.ethz.ch/file/74bc987e6ab4a8478c04950616612f69/main.pdf [31] M. Ali, J. Nelson, and A. Blankstein, “Peer Review: CBC
[10] I. Bentov, A. Gabizon, and A. Mizrahi, “Cryptocurrencies without Casper,” 2018. [Online]. Available: https://medium.com/@muneeb/
proof of work,” http://arxiv.org/pdf/1406.5694.pdf, 2014, accessed: peer-review-cbc-casper-30840a98c89a
2016-03-09. [Online]. Available: http://arxiv.org/pdf/1406.5694.pdf [32] A. Clement, F. Junqueira, A. Kate, and R. Rodrigues, “On the
[11] C. Badertscher, P. Gaži, A. Kiayias, A. Russell, and V. Zikas, “Ouroboros (limited) power of non-equivocation,” in Proceedings of the 2012 ACM
Genesis: Composable Proof-of-Stake Blockchains with Dynamic Avail- symposium on Principles of distributed computing - PODC ’12. New
ability,” Proceedings of the 2018 ACM SIGSAC Conference on Computer York, New York, USA: ACM Press, 2012, p. 301. [Online]. Available:
and Communications Security - CCS ’18, no. 780477, pp. 913–930, http://dl.acm.org/citation.cfm?doid=2332432.2332490
2018. [33] R. Nakamura, “Validator rotation in CBC Casper,” 2019. [Online].
[12] Y. Sompolinsky and A. Zohar, “Secure high-rate transaction processing Available: https://ethresear.ch/t/validator-rotation-in-cbc-casper/5200
in bitcoin,” in Financial Cryptography and Data Security. Springer, [34] V. Buterin, “CBC Casper and ETH 2.0,” 2019. [Online]. Available:
2015, pp. 507–527. [Online]. Available: http://www.cs.huji.ac.il/∼avivz/ https://docs.google.com/presentation/d/1kIurbXVXSY0YDoC8BzrfW
pubs/15/btc ghost full.pdf xP9XOwXZyEAGPdqcMt7VQ/edit#slide=id.p
[13] E. Buchman, “Tendermint: Byzantine fault tolerance in the age [35] T. Nipkow and K. Gerwin, Concrete Semantics: with
of blockchains,” http://atrium.lib.uoguelph.ca/xmlui/bitstream/handle/ Isabelle/HOL. Springer Verlag, 2017. [Online]. Available:
10214/9769/Buchman Ethan 201606 MAsc.pdf, Jun 2016, accessed: http://www.concrete-semantics.org/concrete-semantics.pdf
2017-02-06. [36] C. Ballarin, “Tutorial to Locales and Locale Interpretation,” 2012.
[14] M. Al-Bassam, A. Sonnino, S. Bano, D. Hrycyszyn, and G. Danezis, [Online]. Available: https://isabelle.in.tum.de/doc/locales.pdf
“Chainspace: A sharded smart contracts platform,” arXiv:1708.03778, [37] Isabelle, “Session HOL,” 2019. [Online]. Available: https://isabelle.in.
2017, accessed:2017-09-25. [Online]. Available: https://arxiv.org/pdf/ tum.de/dist/library/HOL/HOL/index.html
1708.03778.pdf [38] M. Ogawa and C. Sternagel, “Theory Restricted Predicates,” 2018.
[15] E. Kokoris-Kogias, P. Jovanovic, L. Gasser, N. Gailly, E. Syta, and [Online]. Available: https://www.isa-afp.org/browser info/current/AFP/
B. Ford, “Omniledger: A secure, scale-out, decentralized ledger via Open Induction/Restricted Predicates.html
sharding,” in 2018 IEEE Symposium on Security and Privacy (SP). [39] A. Fackler, “CBC Casper Lemma 6 and 9,” 2018. [Online]. Available:
IEEE, 2018, pp. 583–598. https://github.com/cbc-casper/cbc-casper-paper/issues/14
[16] A. Back, M. Corallo, L. Dashjr, M. Friedenbach, G. Maxwell, A. Miller, [40] G. Pı̂rlea and I. Sergey, “Mechanising blockchain consensus,”
A. Poelstra, J. Timón, and P. Wuille, “Enabling blockchain innovations Proceedings of the 7th ACM SIGPLAN International Conference on
with pegged sidechains,” https://blockstream.com/sidechains.pdf, 2014, Certified Programs and Proofs - CPP 2018, pp. 78–90, 2018. [Online].
accessed: 2016-07-05. [Online]. Available: https://blockstream.com/ Available: http://dl.acm.org/citation.cfm?doid=3176245.3167086
sidechains.pdf [41] Y. Hirai, “Formal methods on another Casper,”
[17] J. Poon and V. Buterin, “Plasma: Scalable autonomous smart contracts,” 2017. [Online]. Available: https://medium.com/@pirapira/
https://www.plasma.io/, Aug 2017, accessed: 2017-08-10. [Online]. formal-methods-on-another-casper-8a75f6e02073
Available: https://plasma.io/plasma.pdf [42] ——, “A repository for PoS related formal methods,” 2018. [Online].
[18] E. Blum, A. Kiayias, C. Moore, S. Quader, and A. Russell, “Linear Available: https://github.com/palmskog/pos
Consistency for Proof-of-Stake Blockchains,” 2018. [Online]. Available: [43] K. Palmskog, M. Gligoric, L. Pena, B. Moore, and G. Rosu, “Verification
https://eprint.iacr.org/2017/241 of Casper in the Coq Proof Assistant,” Tech. Rep., 2018.You can also read
